Image-Stealing Trojan Exposes Victims to ID Theft, Blackmail

A new breed of malware designed to specifically target image files can expose victims to identity theft, fraud, and blackmail, researchers said. The Pixsteal-A-Trojan finds image files on infected systems and transfers copies to a remote FTP server, Raymart Paraiso, a threat response engineer at Trend Micro, wrote on the TrendLabs Security Intelligence blog. The affected file formats include .jpg, .jpeg, and .dmp (memory dumps created when the computer or an application crashes).

While there has been malware targeting specific file formats in the past (such as the industrial espionage malware focusing on AutoCAD files), most mass information-stealing Trojans have tended to focus on documents and text. Specialized data-stealers have generally been focused on industrial espionage, but cyber-crime-focused malware such as Pixsteal-A-Trojan reflects a shift in where users are increasingly storing sensitive information, Paraiso wrote.

"Users typically rely on photos for storing information, both personal and work-related, so the risk of information leakage is very high," Paraiso wrote.

How Pixsteal-Trojan Works

Trend Micro classified the Pixsteal Trojan as spyware, and said the malware relies on the Internet to infect systems. Other malware on the system may download Pixsteal as part of a dropper, or users may be tricked into downloading the file from a malicious site, Trend Micro warned.

Once on the machine, the Trojan looks for image files stored on the system's C:, D:, and E: drives and copies them into one central location on the C: drive, according to Trend Micro. Then it connects to the remote FTP server and transfers the first 20,000 files.
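The stage-then-upload behavior described above leaves a pattern defenders can correlate in endpoint telemetry. The sketch below is an added example, not code from Trend Micro or the original article; the event format, process names, paths, addresses, and threshold are all constructed assumptions.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

TARGET_EXTS = {".jpg", ".jpeg", ".dmp"}  # file formats named in the article
FTP_PORT = 21
STAGE_THRESHOLD = 3  # assumption: set far higher for real workloads

# Constructed telemetry: (seconds, process, event kind, detail).
# "copy" detail = (source, destination); "net" detail = (remote address, port).
EVENTS = [
    (10, "photoapp.exe", "copy", (r"C:\Users\a\Pictures\cat.jpg", r"D:\Backup\cat.jpg")),
    (12, "updater.exe", "copy", (r"C:\Users\a\Pictures\id_scan.jpg", r"C:\stage\id_scan.jpg")),
    (13, "updater.exe", "copy", (r"D:\Scans\receipt.jpeg", r"C:\stage\receipt.jpeg")),
    (14, "updater.exe", "copy", (r"E:\dumps\app.dmp", r"C:\stage\app.dmp")),
    (15, "updater.exe", "copy", (r"D:\Docs\notes.txt", r"C:\stage\notes.txt")),
    (20, "updater.exe", "net", ("203.0.113.7", 21)),
    (25, "ftpclient.exe", "net", ("203.0.113.9", 21)),
]

def find_staging_then_ftp(events, threshold=STAGE_THRESHOLD):
    """Flag processes that gather image/dump files from more than one drive
    into a single directory and afterwards open an FTP control connection."""
    # process -> staging directory -> [(time, source drive), ...]
    staged = defaultdict(lambda: defaultdict(list))
    alerts = []
    for ts, proc, kind, detail in sorted(events, key=lambda e: e[0]):
        if kind == "copy":
            src, dst = PureWindowsPath(detail[0]), PureWindowsPath(detail[1])
            if src.suffix.lower() in TARGET_EXTS:
                staged[proc][str(dst.parent).lower()].append((ts, src.drive.upper()))
        elif kind == "net" and detail[1] == FTP_PORT:
            for directory, hits in staged[proc].items():
                drives = sorted({drive for _, drive in hits})
                if len(hits) >= threshold and len(drives) > 1:
                    alerts.append({"process": proc, "staging_dir": directory,
                                   "files": len(hits), "source_drives": drives,
                                   "ftp_server": detail[0]})
    return alerts

if __name__ == "__main__":
    for alert in find_staging_then_ftp(EVENTS):
        print(alert)
```

Only the process that both staged files from several drives and then contacted an FTP server is reported; a lone FTP connection or a single photo copy is not.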

Picture Worth a Thousand Words

What kind of risky information can be inside an image file, you may wonder? Do you take screenshots of a receipt or a confirmation page after an online purchase? Perhaps you are moving away from paper records and scanning your financial and personal records onto your computer. Are there any images on your computer, potentially embarrassing or sensitive, that you wouldn't want falling into the wrong hands?

The Internet Watch Foundation found in a recent survey that 88 percent of explicit or suggestive images posted by young people of themselves on social networking sites later showed up on other "parasite websites," according to a report by the Guardian. Of the 12,224 images and videos posted across 68 different websites monitored over a four-week period, 10,776 were later found on other websites created to display explicit images of young people, the British-based IWF said last month.

"Though it appears tedious, the potential gain for cybercriminals should they be successful in stealing information is high," Paraiso wrote, noting that these images can be used for identity theft, blackmail, or to craft future targeted attacks.

Risks on Mobile Devices

The threat of image-focused malware may become a big issue on mobile devices. A military researcher from the Naval Surface Warfare Center in Crane, Indiana and a team from Indiana University created an Android app last month that covertly takes photos with the device's camera every two seconds. The images taken by the PlaceRaider app can provide a detailed view into the victim's surroundings, and allow malicious adversaries to steal any usable information found in those images, the researchers said in a paper discussing the app. Users remained unaware because PlaceRaider muted the camera shutter sound and took images at lower resolutions to avoid taking up too much storage space or draining the battery.

"Remote burglars" can use the images to reconstruct the physical space, study the environment carefully, and steal virtual objects from the environment, such as financial documents, information on computer monitors, and personally identifiable information, the researchers wrote. The researchers successfully managed to commit "virtual burglary" in this way, handing out infected phones to a group of users and then scrutinizing the resulting images.

"PlaceRaider thus turns an individual's mobile device against him- or herself, creating an advanced surveillance platform capable of reconstructing the user's physical environment for exploration and exploitation," wrote NSWC's Robert Templeman in the paper.

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Internet infrastructure, and open source.